
Application properties

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_COOKIE_CONFIG_SECURE | false | true or false | If true, the cookies can only be read over HTTPS. |
| ONEGINI_IDP_CCC_COOKIE_CONFIG_PATH | / | | The base path for the cookies. |
| ONEGINI_IDP_CCC_COOKIE_CONFIG_SAMESITE | lax | strict, lax, none | The SameSite cookie attribute declares whether the cookies are restricted to a first-party or same-site context. See the supported values below. |
| ONEGINI_IDP_CCC_COOKIE_CONFIG_PREFIXCOOKIESFORMORESECURITY | true | true or false | Enables or disables prefixing cookies with `__Secure-` or `__Host-`. See below for more information. |
| ONEGINI_IDP_CCC_COOKIE_CONFIG_XSRFCOOKIENAME | XSRF-TOKEN | | XSRF cookie name. Note that it may get prefixed with `__Secure-` or `__Host-`. |

Supported values for ONEGINI_IDP_CCC_COOKIE_CONFIG_SAMESITE:

  • strict - The cookie will only be sent if the site for the cookie matches the current site URL. The cookie will not be sent along with requests initiated by third-party websites.
  • lax - The cookie will only be sent if the site for the cookie matches the current site URL. Of the requests initiated by third-party websites, the cookie is only sent along with GET requests.
  • none - The cookie will be sent cross-origin. This value requires the Secure attribute.

Cookie's secure prefixes

The cookies can be prefixed for more security. Browsers respect the `__Secure-` and `__Host-` prefixes as more than a naming convention: these prefixes are part of the Secure Cookie specification and add security constraints to the cookie. Using them changes how the browser treats the cookie and helps mitigate certain security risks.

  • `__Secure-` prefix: When a cookie has the `__Secure-` prefix, the browser enforces that the cookie is only sent over secure (HTTPS) connections. If a page tries to set or send such a cookie over an unencrypted connection (HTTP), the browser will prevent it.
  • `__Host-` prefix: The `__Host-` prefix, in addition to enforcing the Secure attribute, restricts the cookie to the exact host that set it. It prevents the cookie from being sent to subdomains. This adds an extra layer of security against certain attacks, such as CSRF.

If ONEGINI_IDP_CCC_COOKIE_CONFIG_PREFIXCOOKIESFORMORESECURITY is set to true (the default), the application automatically adds the proper prefix, depending on the general cookie configuration:

  • `__Secure-`: when the Secure attribute is set to true and the Domain attribute has a value. With these attributes the cookie is only sent over a secure connection (HTTPS), and subdomains are allowed.
  • `__Host-`: when the Secure attribute is set to true and the Domain attribute is empty. With these attributes the cookie is only sent over a secure connection (HTTPS), and subdomains are not allowed.
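The prefix rule above and the browser-side constraints it relies on, as an added example in Python (not code from Onegini Customer Service): `choose_prefix` applies the rule from the list above, `build_set_cookie` renders the header the configuration would produce, and `check_set_cookie` reports what a browser would reject. One check the page does not spell out: browsers also require `Path=/` for a `__Host-` cookie, so if ONEGINI_IDP_CCC_COOKIE_CONFIG_PATH is changed from its default while Secure is on and Domain is empty, the resulting header is worth checking. The function names and sample values are assumptions.

```python
"""Cookie prefix selection and Set-Cookie header checks.

Added example; not code from Onegini Customer Service. It applies the prefix
rule from the documentation and the browser constraints on prefixed cookies.
"""
from typing import Dict, List, Optional, Tuple


def choose_prefix(secure: bool, domain: Optional[str], prefix_enabled: bool = True) -> str:
    """__Host- for Secure without Domain, __Secure- for Secure with Domain,
    no prefix otherwise or when prefixing is disabled."""
    if not prefix_enabled or not secure:
        return ""
    return "__Secure-" if domain else "__Host-"


def build_set_cookie(name: str, value: str, *, secure: bool, domain: Optional[str] = None,
                     path: str = "/", samesite: str = "lax", prefix_enabled: bool = True) -> str:
    """Render a Set-Cookie header value from the configuration values."""
    parts = [f"{choose_prefix(secure, domain, prefix_enabled)}{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if secure:
        parts.append("Secure")
    parts.append(f"SameSite={samesite.capitalize()}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value, attrs


def check_set_cookie(header: str) -> List[str]:
    """Return the browser-rule violations for a Set-Cookie header; an empty list
    means a browser accepts it (prefix rules from RFC 6265bis; SameSite=None needs Secure)."""
    name, _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    secure = "secure" in attrs
    if name.startswith("__Host-"):
        if not secure:
            problems.append("__Host- cookie requires the Secure attribute")
        if attrs.get("domain"):
            problems.append("__Host- cookie must not carry a Domain attribute")
        if attrs.get("path") != "/":
            problems.append("__Host- cookie requires Path=/")
    elif name.startswith("__Secure-") and not secure:
        problems.append("__Secure- cookie requires the Secure attribute")
    if (attrs.get("samesite") or "").lower() == "none" and not secure:
        problems.append("SameSite=None requires the Secure attribute")
    return problems


if __name__ == "__main__":
    for hdr in (
        build_set_cookie("XSRF-TOKEN", "abc", secure=True),
        build_set_cookie("XSRF-TOKEN", "abc", secure=True, domain="example.com"),
        # Constructed misconfiguration: Secure without Domain but a non-root path.
        # The rule picks __Host-, which browsers reject unless Path=/.
        build_set_cookie("XSRF-TOKEN", "abc", secure=True, path="/ccc"),
    ):
        print(hdr, "->", check_set_cookie(hdr) or "OK")
```

Running the block prints the three headers with their verdict; the third one shows the Path pitfall mentioned above.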

Proxy configuration

If Onegini Customer Service runs behind a proxy (Apache Httpd, Nginx) that does SSL offloading, extra configuration is needed to generate correct redirects. Otherwise, internal redirects will bring the user from https to http.

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_CONTAINER_PROXY_ENABLED | false | true or false | Set true if the proxy handles SSL offloading. |
| ONEGINI_IDP_CCC_CONTAINER_SCHEME | | http or https | Set https if the proxy handles SSL offloading. |
| ONEGINI_IDP_CCC_CONTAINER_PROXY_NAME | | myapp.example.com | Name of the proxy server. |
| ONEGINI_IDP_CCC_CONTAINER_PROXY_PORT | | 80 or 443 | Port of the proxy server. |
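The redirect problem the section describes, as an added Python example (not code from Onegini Customer Service): `redirect_location` builds the absolute Location of an internal redirect either from the proxy properties above or, when the proxy is not configured, from the plain-HTTP address the container itself listens on, which is how the user ends up on http. The container address (`ccc-app:8080`) and the function names are constructed assumptions.

```python
"""Redirect target behind a TLS-offloading proxy.

Added example; not code from Onegini Customer Service. It mirrors the proxy
properties: when the proxy is enabled, redirects use the configured scheme,
name and port instead of the container's own address.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProxyConfig:
    enabled: bool = False        # ONEGINI_IDP_CCC_CONTAINER_PROXY_ENABLED
    scheme: str = ""             # ONEGINI_IDP_CCC_CONTAINER_SCHEME
    name: str = ""               # ONEGINI_IDP_CCC_CONTAINER_PROXY_NAME
    port: Optional[int] = None   # ONEGINI_IDP_CCC_CONTAINER_PROXY_PORT


DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(scheme: str, host: str, port: Optional[int]) -> str:
    """scheme://host[:port], omitting the port when it is the scheme default."""
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def redirect_location(cfg: ProxyConfig, path: str, *, container_scheme: str = "http",
                      container_host: str = "ccc-app", container_port: int = 8080) -> str:
    """Absolute Location header for an internal redirect to `path`.

    Without proxy configuration the application only knows the plain-HTTP
    address the proxy reached it on, so the user is sent from https to http.
    The container_* values are constructed placeholders.
    """
    if cfg.enabled:
        if cfg.scheme not in DEFAULT_PORTS or not cfg.name:
            raise ValueError("proxy enabled but scheme or name is not configured")
        return _origin(cfg.scheme, cfg.name, cfg.port) + path
    return _origin(container_scheme, container_host, container_port) + path


if __name__ == "__main__":
    # Proxy not configured: the redirect downgrades the user to http.
    print(redirect_location(ProxyConfig(), "/login"))
    # Proxy configured as in the table: the redirect stays on https.
    print(redirect_location(ProxyConfig(True, "https", "myapp.example.com", 443), "/login"))
```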

IFrame configuration

Onegini Customer Service by default does not allow itself to be displayed inside an iframe. This behaviour can be changed by setting the following property:

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_X_FRAME_OPTIONS | SAMEORIGIN | DENY or SAMEORIGIN | Value of the X-Frame-Options response header. |

Search keys

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_IDP_PERSON_SEARCH_KEYS_EMAIL | false | true or false | Enable or disable search by email. |
| ONEGINI_IDP_CCC_IDP_PERSON_SEARCH_KEYS_PHONE | false | true or false | Enable or disable search by phone number. |

Person details custom message

A custom HTML-based message can be shown in the person details view, directly below the Account section. To add such a message, define the property ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_CUSTOM_MESSAGE, e.g. ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_CUSTOM_MESSAGE=<h2>Warning</h2>

A second custom HTML message can be shown (below the ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_CUSTOM_MESSAGE message) for external users only. To add such a message, define the property ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_EXTERNAL_USER, e.g. ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_EXTERNAL_USER=<h2>External user</h2>

If any of these variables is defined via docker-compose and the value contains double quotation marks, make sure the entire key-value pair is wrapped in single quotation marks, e.g. 'ONEGINI_IDP_CCC_EXTENSION_PERSON_DETAILS_CUSTOM_MESSAGE=<h2 style="color: red; border: 2px solid red; background-color: yellow; padding: 10px;">Warning</h2>'.

Profile fields management

You can configure which fields of a user's profile are editable in the user's profile view, using the following environment properties:

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_PERSON_PROFILE_EDITABLE_PROFILE_FIELDS | EMAIL_ADDRESS | EMAIL_ADDRESS,PHONE_NUMBER | Comma-separated list of editable profile fields. Supported values: EMAIL_ADDRESS, PHONE_NUMBER, DATE_OF_BIRTH |
| ONEGINI_IDP_CCC_VALIDATION_PHONE_NUMBER | `^\\+[1-9](?:[0-9]){4,14}$` | `^\\+31[0-9]{4,14}$` | Regular expression applied to phone number validation. |
| ONEGINI_IDP_CCC_VALIDATION_EMAIL_ADDRESS | `.+@.+` | [email protected] | Regular expression applied to email address validation. |
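The two validation patterns applied to sample input, as an added Python example (not code from Onegini Customer Service). The phone default is shown above with a doubled backslash, which is properties-file escaping; this example assumes the pattern the regex engine evaluates is `^\+[1-9](?:[0-9]){4,14}$`. It also shows why the escape matters: a pattern starting with an unescaped `^+` is not a valid regular expression, so `compile_pattern` reports it instead of silently accepting everything. Function names are assumptions.

```python
"""Profile field validation with the configurable regular expressions.

Added example; not code from Onegini Customer Service. The defaults below are
the documented ones, with the phone pattern after properties-file unescaping
(an assumption about how the value reaches the regex engine).
"""
import re
from typing import Dict, Optional

DEFAULT_PHONE_PATTERN = r"^\+[1-9](?:[0-9]){4,14}$"
DEFAULT_EMAIL_PATTERN = r".+@.+"


def compile_pattern(value: str) -> Optional[re.Pattern]:
    """Compile a configured pattern, or return None when it is not a valid
    regular expression (a dangling '+' such as in ^+31... is one such case)."""
    try:
        return re.compile(value)
    except re.error:
        return None


def is_valid(value: str, pattern: str) -> bool:
    """Whole-string match against the configured pattern."""
    compiled = compile_pattern(pattern)
    if compiled is None:
        raise ValueError(f"invalid validation pattern: {pattern!r}")
    return compiled.fullmatch(value) is not None


def validate_profile(email: str, phone: str, *, email_pattern: str = DEFAULT_EMAIL_PATTERN,
                     phone_pattern: str = DEFAULT_PHONE_PATTERN) -> Dict[str, bool]:
    """Validate the two editable fields and report the result per field name."""
    return {
        "EMAIL_ADDRESS": is_valid(email, email_pattern),
        "PHONE_NUMBER": is_valid(phone, phone_pattern),
    }


if __name__ == "__main__":
    # Constructed sample input.
    print(validate_profile("john@example.com", "+31612345678"))
    print(validate_profile("john.example.com", "0612345678"))
    # The default email pattern only demands an '@' somewhere in the string.
    print(is_valid("not really @ an address", DEFAULT_EMAIL_PATTERN))
    # Escaping check: the unescaped form does not compile, the escaped one does.
    print(compile_pattern("^+31[0-9]{4,14}$") is not None)
    print(compile_pattern(r"^\+31[0-9]{4,14}$") is not None)
```

The last two lines of the usage are the check worth running before deploying a custom phone pattern: a pattern that fails to compile cannot validate anything, and the default `.+@.+` accepts any string containing an `@`, so a stricter email pattern is a deployment decision rather than a default.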

Custom attributes management

Custom attributes management can be configured as described in the custom attributes management topic guide.

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_PERSON_PROFILE_EDITABLE_CUSTOM_ATTRIBUTES | | attr1,attr2,attr3 | Comma-separated list of custom attribute names that the user is able to add, edit and delete. An **empty value** means that this feature is disabled. |

Person Creation

The feature to create a new user can be enabled or disabled.

| Property | Default | Example | Description |
| --- | --- | --- | --- |
| ONEGINI_IDP_CCC_PERSON_PROFILE_CREATE_ENABLED | false | true | If true, the feature to add a user via a form is enabled. |

Device management

Device management can be enabled and configured using the environment variables below. See the Manage devices topic guide for details.

| Property | Default | Description |
| --- | --- | --- |
| TOKEN_SERVER_DEVICE_MANAGEMENT_ENABLED | false | Enables management of a user's devices. |
| TOKEN_SERVER_DEVICE_MANAGEMENT_IGNORED_EVENT_TYPES | API_EVENTS_LISTED, API_DEVICES_LISTED, API_DEVICES_NO_DATA_FOUND | Comma-separated list of events that should not be displayed in Onegini Customer Service. |

This feature requires access to the Onegini Token Server's End User and Event APIs. Make sure the API connection is set up properly.

User device verification

Device verification allows initiating a mobile authentication in order to verify a user's device. See the Verify user devices topic guide for details.

| Property | Default | Description |
| --- | --- | --- |
| TOKEN_SERVER_DEVICE_VERIFICATION_AUTHENTICATION_CONFIG_NAME | | The Mobile Authentication type that will be initiated as part of the user device verification flow. The value must match the configuration on the Token Server side. |
| TOKEN_SERVER_DEVICE_VERIFICATION_APP_URL_FOR_CALLBACK | | UMA application base URL that is used for creating a callback URL (must be accessible from the Token Server), e.g. https://uma.onegini.com |

This feature requires access to the Onegini Token Server's Mobile Authentication APIs. Make sure the API connection is set up properly.

Content Security Policy

Content Security Policy (CSP) adds an additional layer of security that is used to detect and mitigate XSS and data injection attacks.

| Property | Default | Description |
| --- | --- | --- |
| ONEGINI_IDP_CCC_CSP_HEADER_VALUE | | Content-Security-Policy header value |

Coupling

| Property | Default | Description |
| --- | --- | --- |
| ONEGINI_IDP_CCC_PERSON_PROFILE_ALLOW_DECOUPLING_LAST_IDP | false | Enables the possibility to decouple the last identity provider. |